However, some citizens have the false notion that for an unauthorized transaction to take place, the fraudster must obtain an OTP. Cyber criminals have started exploiting this notion to commit fraud. They ask for credit card details, suggesting that since an OTP is mandatory for online transactions, sharing card details is not unsafe.

Many gullible citizens fall into their trap and are victimized. Hence, this write-up is about the requirement of OTP for online transactions and the various modus operandi that cyber criminals employ to learn your OTP without you telling it to them.

In essence, we shall understand whether it is possible for a fraudster to commit fraud even without you sharing the OTP. Remedial measures to avoid becoming a victim of such frauds are discussed towards the end.

Why is OTP Needed for Bank Transactions in India?

The Reserve Bank of India introduced a new guideline for Tele Shopping / Mobile / Interactive Voice Response (IVR) transactions done using a credit card. As per the guideline, all such transactions required an additional password validation, starting from January 1, 2011.

The idea was to prevent credit card abuse and fraud, and to secure all such transactions done over mobile or IVR systems. Before this guideline, a credit card transaction over an IVR system required only the following:

Credit card number

Card Expiry date

CVV Number

So, with a stolen credit card, fraudsters were able to make fraudulent transactions, as all these details are printed on the card itself. After this guideline, two additional things were needed to perform such a transaction:

Mobile Number

IVR 3D Secure OTP (One Time Password)

So, even if you lost your credit card, fraudsters could not obtain the OTP needed for fraudulent transactions.

RBI Dec 6, 2016 Guidelines: RBI had been receiving requests from several stakeholders to review and relax the 2FA requirements, at least for low-value transactions. In light of demonetization, and to promote cashless payments, on December 6, 2016 RBI relaxed the OTP rules for online (Card Not Present) transactions under the value of Rs 2,000.

As per the new rule, customers need to opt in for this facility and complete a one-time registration to avail of its benefits. The registration process includes entering card details and a password authenticated by the card network.

Once the registration is complete, users do not need to re-enter the card details for every transaction on a merchant website or app. The card details act as the first factor of authentication, and the credentials used to log in to the solution act as the second factor.

Ways for a Fraudster to Gather Your OTP Without You Sharing It

Fraudsters deploy certain methods to learn your OTP without you revealing it. These methods include:

Method 1: Screen Recording Apps:

Step 1: The fraudster impersonates a representative of a bank or another institution such as the RBI, a telecom service provider, etc. To make the call sound legitimate, they proceed with verification questions like your name, date of birth, mobile number, etc.

Step 2: The fraudster then asks you to download an app that gives them remote access to your mobile phone, which they use to carry out fraudulent transactions via UPI. Examples of such apps include AnyDesk, TeamViewer, Screen Share or any other third-party remote-access app.

Step 3: After you install the app, the fraudster asks you to share the code, after which they get complete access to your device without you even knowing it.

Step 4: Now the fraudster can steal your passwords and transact through your UPI account. They no longer need to ask you for an OTP to make unauthorized transactions from your account, because they can see it on your screen.

You may be surprised to know that installing a spy app on your phone takes hardly 100 seconds. Once the spy app is installed on your device, it starts relaying data to the cloud. Using the login credentials, the fraudster can then see all the data stored in the cloud, e.g. the cloud of Free Tracker Mobile.

Remedial Measures:

Don’t share your card details: Refrain from sharing credit card details with any stranger, irrespective of the deal offered. Always remember that banks and other financial institutions will never call you to ask for sensitive personal information. Further, to check the authenticity of unknown numbers, you may use free apps like Eyecon, Truecaller, etc.

Be cautious of malicious apps: Fraudsters create fake mobile apps that look similar to genuine bank apps and upload them to the Google Play Store. When a person accidentally installs the fake app and grants the permissions it asks for, it starts sending sensitive data to the fraudster. E.g., the Modi BHIM, BHIM Modi and Modi ka BHIM apps.

Do not download and install third-party apps: such as Screen Share, AnyDesk, TeamViewer, etc. Always use apps downloaded from the official Google Play Store (for Android) or App Store (for iPhones). This applies to bank apps as well.

Don’t share your phone with strangers: As discussed, it hardly takes a couple of minutes to bug a phone. Similarly, don’t keep the SIM linked to your bank account in a smartphone. Rather, keep it in a basic mobile phone, which cannot be compromised in this way.

Other Suggestions:

If you receive a suspicious text message, or a message with a link from an unknown number, it is better to ignore it or to visit the nearest bank branch to confirm it.

Do not search for your app’s customer-support number on Google or any social media. Visit the official website of your app or bank to find the customer-care number.

Be skeptical of anyone calling you and offering freebies like cash-backs.

Do not post the phone number linked to your bank account on social media sites.

Conclusion:

In the digital world, one single mistake can compromise your phone, leading to fraudulent transactions. You should always be vigilant and cautious.

Still, if you become a victim of online fraud, lodge an FIR with the nearest police station or cyber cell. Alternatively, you can use the online government portal, the National Cyber Crime Reporting Portal (cybercrime.gov.in), to report such fraudulent transactions.